[Snort-users] Re: Snort Behind IPtables, contradicting evidence...

JSeddon at ...2969... JSeddon at ...2969...
Thu Sep 27 21:34:01 EDT 2001


Oinkers Bob and John,

     Thanks!  That makes perfect sense and I should've known that!  To sum
up for the archives...When you have snort sitting behind iptables, snort
sees every packet coming in (same as iptables).  However, since iptables
denies connections, before the 3 way handshake is complete, you won't
probably see nearly as many alerts.  The packets with the exploit data that
snort is going to alert on come AFTER the connection is established (3-way
handshake done).  So with iptables denying connections, the data to trigger
alerts doesn't show up at the box at all.

     Thanks again for your help!  I can sleep better in my pen tonight....

Piglet James





More information about the Snort-users mailing list